Open source software has many benefits, but unfortunately it is more susceptible to security attacks given its open nature. Kubernetes is no exception. Look no further than RedLock's report on how hackers infiltrated Aviva's and Gemalto's Kubernetes clusters to mine cryptocurrencies. Even Tesla had an insecure Kubernetes dashboard open to the internet, which contained credentials to its AWS environment.
Leverege recommends working with a security company to harden and secure your Kubernetes cluster; however, here is a list of best practices to get you started.
An added benefit to using a managed Kubernetes service is that the service provider handles most of the security issues for you. For example, GKE manages the Kubernetes control plane (API server, scheduler, controller manager, and etcd) and addresses some of the CIS Kubernetes benchmarks by default.
The default configuration is frequently insecure for production. The good news is that fixing most of these weaknesses is a matter of clicking a button in the UI. The CIS Google Cloud Platform benchmark lists 18 different configurations regarding Kubernetes. Most are enabled by default (Stackdriver logging/monitoring, using COS as the node image, etc.) and others are addressed by simply enabling automatic node repairs and upgrades.
Google also provides further instructions on hardening the cluster's security by adding network and pod security policies for granular control.
CIS also provides a list of benchmarks for Kubernetes separately. As mentioned above, a managed service will address most of these benchmarks, but if you are managing your own Kubernetes cluster, you can use these guidelines to secure the master and worker nodes.
Fortunately, the folks at Aqua Security open-sourced a tool that runs checks against these benchmarks automatically. You can run kube-bench on the cluster to generate a report along with recommended remediation steps.
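Running kube-bench is only half the job; the report has to be read and acted on. The following Python example is added here and is not part of this post or of kube-bench itself. It parses the JSON report that `kube-bench --json` writes, lists the checks that did not pass together with their remediation text, and returns a CI-style exit status. The report embedded below is a constructed sample in the shape of kube-bench's JSON output (top-level `Controls`, each with `tests` and `results` carrying `test_number`, `status`, `scored` and `remediation`); the check ids and descriptions are illustrative, and the key names are an assumption about the tool's output format.

```python
import json

# Constructed sample report: same key layout as `kube-bench --json`
# (an assumption about the tool's format), trimmed to three checks.
SAMPLE_REPORT = json.dumps({
    "Controls": [{
        "id": "1",
        "text": "Master Node Security Configuration",
        "node_type": "master",
        "tests": [{
            "section": "1.2",
            "desc": "API Server",
            "results": [
                {"test_number": "1.2.1",
                 "test_desc": "Ensure that anonymous authentication is disabled",
                 "status": "FAIL", "scored": True,
                 "remediation": "Set --anonymous-auth=false on the API server."},
                {"test_number": "1.2.2",
                 "test_desc": "Ensure that static password files are not used",
                 "status": "PASS", "scored": True,
                 "remediation": ""},
                {"test_number": "1.2.3",
                 "test_desc": "Review audit log retention",
                 "status": "WARN", "scored": False,
                 "remediation": "Confirm audit logs are retained for 30 days."},
            ],
        }],
    }],
})


def iter_results(report_json):
    """Flatten Controls -> tests -> results into one sequence of result dicts."""
    report = json.loads(report_json)
    for control in report.get("Controls", []):
        for test in control.get("tests", []):
            for result in test.get("results", []):
                yield result


def summarize(report_json):
    """Count results by status so a run can be compared with the previous one."""
    counts = {"PASS": 0, "FAIL": 0, "WARN": 0, "INFO": 0}
    for result in iter_results(report_json):
        counts[result.get("status", "INFO")] = counts.get(result.get("status", "INFO"), 0) + 1
    return counts


def failing_checks(report_json, include_warn=False):
    """Return checks that need attention, each with its remediation text.

    FAIL is always included; WARN (manual checks) only when asked for.
    """
    wanted = {"FAIL", "WARN"} if include_warn else {"FAIL"}
    return [
        {
            "id": r.get("test_number"),
            "desc": r.get("test_desc"),
            "status": r.get("status"),
            "scored": bool(r.get("scored")),
            "remediation": r.get("remediation", ""),
        }
        for r in iter_results(report_json)
        if r.get("status") in wanted
    ]


def gate(report_json):
    """Exit status for a pipeline: 1 if any scored check FAILs, else 0."""
    return 1 if any(f["scored"] for f in failing_checks(report_json)) else 0


if __name__ == "__main__":
    # Typical use: kube-bench --json > report.json; python audit.py
    print(summarize(SAMPLE_REPORT))
    for f in failing_checks(SAMPLE_REPORT, include_warn=True):
        print(f"[{f['status']}] {f['id']} {f['desc']}\n    fix: {f['remediation']}")
    raise SystemExit(gate(SAMPLE_REPORT))
```

Unscored WARN items are deliberately excluded from the gate: they are the benchmark's "verify manually" checks, so failing a build on them only trains people to ignore the report.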
Another quick way to secure Kubernetes clusters is to use a validator tool such as Polaris from Fairwinds or Popeye. Both tools scan a cluster and audit what is running inside it against best practices.
Polaris provides a dashboard that groups results into the following categories:
- Health checks: readiness and liveness probes
- Images: pull policy and tags
- Networking: host network and ports
- Resources: resource (cpu and memory) requests and limits
- Security: security contexts (e.g. runAsRootAllowed: false)
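To make the five categories concrete, here is an added Python example (not part of this post or of Polaris) that applies the same kinds of checks to a Pod manifest: probes present, image tag pinned and pull policy set to Always, no host networking or host ports, CPU and memory requests and limits declared, and a security context that refuses to run as root or privileged. The two manifests are constructed samples written as the dicts `yaml.safe_load` would produce; the check names and the extra `privileged` test are my own choices and go slightly beyond the categories listed above.

```python
# Constructed sample: a Pod that violates every category.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo-bad"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "app",
            "image": "example/app:latest",
            "ports": [{"containerPort": 8080, "hostPort": 8080}],
        }],
    },
}

# Constructed sample: the same Pod with the findings addressed.
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo-good"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "app",
            "image": "example/app:1.4.2",
            "imagePullPolicy": "Always",
            "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
            "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
            "ports": [{"containerPort": 8080}],
            "resources": {
                "requests": {"cpu": "100m", "memory": "128Mi"},
                "limits": {"cpu": "500m", "memory": "256Mi"},
            },
            "securityContext": {"allowPrivilegeEscalation": False},
        }],
    },
}


def image_tag_ok(image):
    """True if the image is pinned by digest or by a tag other than latest."""
    ref = image.rsplit("/", 1)[-1]          # strip registry/repo path
    if "@" in ref:                          # name@sha256:... is pinned
        return True
    return ":" in ref and not ref.endswith(":latest")


def audit_pod(pod):
    """Return (category, container, message) findings for one Pod manifest."""
    findings = []
    spec = pod.get("spec", {})
    if spec.get("hostNetwork"):
        findings.append(("Networking", "-", "hostNetwork is enabled"))
    pod_sc = spec.get("securityContext", {})

    for c in spec.get("containers", []):
        name = c.get("name", "?")
        for probe in ("readinessProbe", "livenessProbe"):
            if probe not in c:
                findings.append(("Health checks", name, f"{probe} is not set"))
        if not image_tag_ok(c.get("image", "")):
            findings.append(("Images", name, "image tag is missing or latest"))
        if c.get("imagePullPolicy") != "Always":
            findings.append(("Images", name, "imagePullPolicy is not Always"))
        for p in c.get("ports", []):
            if p.get("hostPort"):
                findings.append(("Networking", name, f"hostPort {p['hostPort']} is set"))
        res = c.get("resources", {})
        for kind in ("requests", "limits"):
            for r in ("cpu", "memory"):
                if r not in res.get(kind, {}):
                    findings.append(("Resources", name, f"{r} {kind} not set"))
        # Container-level securityContext overrides pod-level fields.
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("runAsNonRoot") is not True:
            findings.append(("Security", name, "runAsNonRoot is not true"))
        if sc.get("privileged"):
            findings.append(("Security", name, "container is privileged"))
    return findings


def summarize(findings):
    """Count findings per category, matching the dashboard grouping."""
    counts = {}
    for category, _, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        found = audit_pod(pod)
        print(pod["metadata"]["name"], summarize(found))
        for category, container, msg in found:
            print(f"  [{category}] {container}: {msg}")
```

Note that `runAsNonRoot` is checked as "must be explicitly true": an absent field is reported, because the default is to allow root and a missing setting is exactly what the audit should surface.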
At Leverege, adding proper health checks and defining resource limits vastly improved Kubernetes performance. For additional tips, check out:
- How to Set Kubernetes Resource Requests and Limits - A Saga to Improve Cluster Stability and Efficiency
- Fantastic Probes And How To Configure Them — A Kubernetes Story
Popeye runs additional checks on ConfigMaps, Service Accounts, Secrets, Persistent Volumes, and Pod Disruption Budgets to sanitize and detect potentially unused artifacts. This is a good tool if you have been using Helm 2 and did not specify a maximum number of release versions to keep, since Helm 2 stores each release version as a ConfigMap.
Alternatively, you can use these other tools to detect and fix common security issues: